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Preface 


Our societies are becoming increasingly dependent on emerging technologies and 
connected computer systems that are increasingly trusted to store, process, and 
transmit sensitive data. While generally beneficial, this shift also raises many secu¬ 
rity and privacy challenges. The growing complexity and connectivity offers adver¬ 
saries a large attack surface. In particular, the connection to the Internet facilitates 
remote attacks without the need for physical access to the targeted computing- 
platforms. Attackers exploit security vulnerabilities in modern software with the 
ultimate goal of taking control over the underlying computing platforms. There are 
various causes of these vulnerabilities, the foremost being that the majority of soft¬ 
ware (including operating systems) is written in unsafe programming languages 
(mainly C and C++) and by developers who are by-and-large not security experts. 

Memoiy errors are a prominent vulnerability class in modern software: they 
persist for decades and still are used as the entry point for today’s state-of-the- 
art attacks. The canonical example of a memoiy error is the stack-based buffer 
overflow vulnerability, where the adversary overflows a local buffer on the stack, 
and overwrites a function’s return address. While modern defenses protect against 
this attack strategy, many other avenues for exploitation exist, including those that 
leverage heap, format string, or integer overflow vulnerabilities. 

Given a memoiy vulnerability in the program, the adversaiy typically provides a 
malicious input that exploits this vulnerability to trigger malicious program actions 
not intended by the benign program. This class of exploits aims to hijack the control 
flow of the program and differs from conventional malware, which encapsulates 
the malicious code inside a dedicated executable that needs to be executed on the 
target system and typically requires no exploitation of a program bug. 

As mentioned above, the continued success of these attacks is mainly attributed 
to the fact that large portions of software programs are implemented in type-unsafe 
languages (C, C++, or Objective-C) that do not guard against malicious program in¬ 
puts using bounds checking, automatic memory management, etc. However, even 
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type-safe languages like Java rely on virtual machines and complex runtimes that 
are in turn implemented in type-unsafe languages out of performance concerns. 
Unfortunately, as modern applications grow more complex, memory errors and 
vulnerabilities will likely continue to exist, with no end in sight. 

Regardless of the attacker’s method of choice, exploiting a vulnerability and 
gaining control over an application’s control flow is only the first step of an attack. 
The second step is to change the behavior of the compromised application to per¬ 
form malicious actions. Traditionally, this has been realized by injecting malicious 
code into the application’s address space, and later executing the injected code. 
However, with the widespread enforcement of data execution prevention (DEP), 
such attacks are more difficult to launch today. Unfortunately, the long-held as¬ 
sumption that only code injection posed a risk was shattered with the introduction 
of code-reuse attacks, such as return-into-libc and return-oriented programming 
(ROP). As the name implies, code-reuse attacks do not require any code injection 
and instead repurpose benign code already resident in memory. 

Code-reuse techniques are applicable to a wide range of computing platforms: 
x86-based platforms, embedded systems running on an Atmel AVR processor, mo¬ 
bile devices based on ARM, PowerPC-based Cisco routers, and voting machines de¬ 
ploying a z80 processor. Moreover, the powerful ROP technique is Turing-complete, 
i.e., it allows an attacker to execute arbitrary malicious code. 

In fact, the majority of state-of-the-art run-time exploits leverage code-reuse 
attack techniques, e.g., against Internet Explorer, Apple QuickTime, Adobe Reader, 
Microsoft Word, or the GnuTLS library. Even large-scale cyberattacks such as the 
popular Stuxnet worm, which damaged Iranian centrifuge rotors, incorporated 
code-reuse attack techniques. 

Indeed, even after more than three decades, memory corruption exploits remain 
a clear and present danger to the security of modern software and hardware plat¬ 
forms. This is why the research community both in academia and industry have 
invested major efforts in the recent past to mitigate the threat. Various defenses 
have been proposed and even deployed by Google, Microsoft, Intel, etc. The most 
prominent defenses are based on enforcement (e.g., Control-Flow Integrity [CFI]) 
or randomization (also known as software diversity) of certain program aspects. 
Both types of defenses have distinct advantages and disadvantages. Randomiza¬ 
tion makes it hard for attackers to chain together their attack gadgets, is efficient, 
and can be applied to complex software such as web browsers. It can have different 
levels of granularity, from a simple Address Space Layout Randomization (ASLR) 
to fine-grained randomization at function or even instruction level. However, ran¬ 
domization requires high entropy and all randomization schemes are inherently 
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vulnerable to information leakage. CFI, on the other hand, provides guarantees 
that the application does not deviate from the intended program flow, yet it re¬ 
quires a security and efficiency tradeoff: i.e., coarse-grained CFI have been shown 
to be vulnerable, and fine-grained CFI can be inefficient without hardware support. 
Researchers have been working on improving these schemes with novel ideas in 
both software and hardware design. Many proposed defenses have been bypassed 
by other attacks, generating a large body of literature on this topic. 

It seems that the arms race between attackers and defenders continues. Al¬ 
though researchers have raised the bar for adversaries, there are still a number of 
challenges to tackle against sophisticated attacks. Despite all the recent proposals 
on various defenses, we cannot claim that the problem is entirely solved. However, 
our community has gained much insight through recent results on how and to what 
extent we need to employ certain design principles to significantly reduce the effect 
of code-reuse attacks. 

The main purpose of this book is to provide readers with some of the most 
influential works on run-time exploits and defenses. We hope that this material 
will inspire readers and generate new ideas and paradigms. 

Per Larsen 

Ahmad-Reza Sadeghi 
Februaiy 2018 
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